Internet privacy and the right to be forgotten

When it comes to privacy, the Internet has long been something of a Wild West, but that is starting to change, with regulators in Europe and the United States beginning to pull in the reins.

On both sides of the Atlantic, officials are scrutinizing how companies such as Facebook and Google handle users' personal data, as they draw up plans to protect surfers while ensuring the growth of rapidly expanding social media, search engine and other Web-based businesses.

In the first sign of where Europe may be headed with its privacy regulations, the European Union announced this week that social networking sites and search engines could face court action if they fail to obey new EU data privacy rules.

Under proposals that will be fleshed out in the coming months and will update 16-year-old data-protection laws, the European Commission wants to force companies holding data to allow users to withdraw it from websites, calling it the "right to be forgotten."

Companies would also have to provide more information on what data they have collected from people and why.

"Any company operating in the EU market or any online product that is targeted at EU consumers must comply with EU rules," Viviane Reding, the European commissioner in charge of justice issues, said in a speech this week.

"To enforce EU law, national privacy watchdogs will be endowed with powers to investigate and engage in legal proceedings against non-EU data controllers," she added.

Reding said that EU-based privacy watchdogs should even be given powers to enforce compliance outside Europe, which could include access to U.S.-based servers and other data sources.

While privacy campaigners and Internet users may be pleased to hear what Reding has to say, her words will cause concern in parts of the United States, where many of the biggest and most successful search engines and social media companies are based.

Europe and the United States have traditionally differed on privacy issues, with the EU taking a stronger regulatory approach and U.S. officials more mindful of the need to balance entrepreneurship and business demands with data protection.

But in recent weeks, as U.S. privacy experts have visited Brussels to try to close the gaps between the two regulatory frameworks, officials have emphasized how closely they are working together to come up with a common set of standards.

"I think our baseline understanding of the rules is very similar," said Fiona Alexander of the U.S. Department of Commerce, who was in Brussels this month to meet EU regulators. "The implementation in the past may have been different."

LEVEL PLAYING FIELD

The EU and U.S. already agree on some general concepts, such as the idea that privacy safeguards need to be designed into Web products from the start. They also both want to require Web browsers to offer a "do not track" option to users.

But differences remain on specifics and philosophy.

EU officials are adamant that companies should obtain explicit permission from users before every use of their data -- such as through a pop-up consent box -- while that is not something U.S. regulators are pushing for, EU officials say.

The right to be forgotten is also a concept that goes against the grain for U.S. regulators, who favor a broader definition of freedom of information.

In a sign of where Europe is going and how complex applying the law could become, Spanish data protection authorities ordered Google in January to remove links to more than 80 news articles mentioning people by name, saying it violated privacy.

The case has been referred to Europe's highest court.

Some companies, such as Microsoft, support the effort by the European Union and the United States to align their policies, saying it will result in clearer, more uniform rules.

"Companies need solid, clear rules to be able to continue to invest and to be competitive," said John Vassallo, Microsoft's vice president of EU affairs. "Now, there are too many competing rules."

But even within individual EU countries, privacy rules vary so much that lawyers say it would be almost impossible for a multinational company to be compliant in all 27 EU countries.

That suggests that Reding and her EU regulatory team will have their work cut out if they are to draw up a clear and workable policy in the months ahead, and one that fits well with the rules U.S. regulators are also drawing up.